#xviii Beyond Citations | The utility of third line of defence
While offence and defence can take care of cyber adversaries, can the third line of defence approach safeguard India on the cyber front irrespective of actor type?
As the Russian invasion of Ukraine and the subsequent war completed three gruelling years, Russian president Putin and Chinese president Xi reaffirmed their no-limits partnership. It was only expected that Russia and China, which have historically shared a relationship defined by uneasiness and ups-and-downs, would come closer together in the contemporary geopolitical environment. Russia felt encircled by an expanding NATO while China could not stand the US’ pivot to the Indo-Pacific and a mushrooming Quad. Therefore, when the West began sharing money, weapon systems and intelligence with Ukraine in a massive way barely a few days into the Russian invasion, Putin’s embrace of Xi only strengthened.
This partnership, which goes back a couple of decades at the very least, also included the cyber element. Both states publicly affirmed in 2015 that they would not mount cyberattacks against each other. Elaine Korzak’s piece for The Diplomat translates Article 4 of the Russia-China agreement as follows:
Each Party has an equal right to the protection of the information resources of their state against misuse and unsanctioned interference, including computer attacks against them. Each Party shall not exercise such actions with respect to the other Party and shall assist the other Party in the realization of said right.
So far so good. But then the New York Times on 19 June 2025 broke a story of how Chinese hackers were targeting the Russian war effort:
Since the beginning of the war in Ukraine, groups linked to the Chinese government have repeatedly hacked Russian companies and government agencies in an apparent search for military secrets, according to cyberanalysts.
The intrusions started accelerating in May 2022, just months after Moscow’s full-scale invasion. And they have continued steadily, with Chinese groups worming into Russian systems even as President Vladimir V. Putin of Russia and President Xi Jinping of China publicly professed a momentous era of collaboration and friendship.
The public revelation of Chinese hacking attempts directed at Russians raises some pertinent questions which are quite relevant for India. Usually, a state reserves its cyber capabilities, both offensive and defensive, for its primary adversaries. But what about non-adversary states?
One idea to safeguard India on the cyber front irrespective of actor type is to ensure a base level of cyber hygiene and best practices by strengthening the third line of defence in cyberspace. But what is this third line of defence?
Valkenburg and Bongiovanni provide answers in the following 2024 review paper:
Valkenburg, B., & Bongiovanni, I. (2024). Unravelling the Three Lines Model in Cybersecurity: A Systematic Literature Review. Computers & Security, 139, 103708. https://doi.org/10.1016/j.cose.2024.103708 (open access)
At the very outset of the paper, the authors express a basic caution about cybersecurity: it is not purely technical (firewalls and encryption systems, for instance) but also about ‘organisational, human, and governance dimensions.’ It is this realisation of the multifaceted nature of cybersecurity that has aided the application of the three lines of defence model to the cyber domain. The model itself was originally conceived and applied in the financial world, with the UK's Financial Services Authority and the Institute of Internal Auditors playing key roles in its propagation in 2003 and 2013, respectively.
The first line of defence in an organisation typically involves IT professionals engaging in operational cyber matters. Chief information security officers are the key responsible parties in the first line. The second line of defence involves professionals taking care of risk management and regulatory compliance. The second line also engages in setting policies.
The third line of defence strengthens the cyber preparedness and resilience of an organisation through critical oversight of the first and second lines of defence.
The third line is embodied by the internal audit function, which oversees the efficacy of the first and second lines. This function is pivotal in offering assurance to executive management and the board regarding the adequacy of controls and the appropriate management of cyber risks. The internal audit’s role is instrumental in fortifying the cyber risk management strategy by validating the adequacy of the organisation’s controls and ensuring appropriate management of cyber-risks.
It is this third line of defence that is often overlooked in cybersecurity discussions. Usually the first line of defence ends up hogging most of the limelight.
Defence-in-depth through the three lines model is one potential way through which Indian organisations can enhance their cyber posture irrespective of whether the malicious actor is a friend or foe.
What could be other ways? Share your views in the comments section below.
Acknowledgement: Thanks to Karthik Bappanad (independent cybersecurity consultant) for suggesting the exploration of the application of the three lines of defence model to the cyber domain.